FedRAMP on the Move?

Folks, just a quick preface on this new statement from the FedRAMP PMO. For the last year, FedRAMP Fast Forward, a group in which MeriTalk participates, has hosted industry and government dialogue focused on delivering tangible recommendations to increase the value of FedRAMP. We’ve taken a series of meetings with government agencies, including the FedRAMP PMO. We briefed the FedRAMP PMO two weeks ago on a new Fix FedRAMP paper that we will release Jan. 25. Seems Matt Goodrich and his team listened.

Anticipating the release of the Fix FedRAMP paper, GSA and the FedRAMP PMO released this blog Wednesday evening. Let’s hear it for change — if the FedRAMP PMO’s up for change — we’re excited to work with them. If this is just window dressing to ward off criticism, we’ll ensure to hold their feet to the fire.

We’re delighted to hear GSA’s changing. We love the direction. Now we’d all like to see the operational details.

The Evolution of FedRAMP

We asked. You talked. We’re responding.

January 20, 2016 | Matthew Goodrich , Director for the Federal Risk and Authorization Management Program (FedRAMP) in GSA
As we approached our fourth year of helping agencies secure the cloud solutions they use, we here at FedRAMP undertook a comprehensive outreach effort to learn as much as possible about how we’re meeting your needs. In response to your feedback, we’re shifting our efforts to scale the things we’re doing well, and we’re also working to improve the areas you’d like to see changed.

We asked

During the last six months, we went out and talked to you: cloud service providers (CSPs), third-party assessors (3PAOs), industry consortiums, and agencies, among other users. We also did some self reflection by conducting internal interviews. The questions we asked helped us get to the heart of what you need by providing valuable insight into how we’re delivering services and helping us identify what areas we can improve.You talked

As we talked to you, we not only asked questions but also followed your end-to-end “customer journeys” in detail. This helped us visualize how you’ve interacted with GSA and the PMO. If there’s one thing our research made clear, it’s that you’re not shy about giving us constructive feedback,and we couldn’t be happier about the insights you shared!

We heard a lot of positive sentiments about FedRAMP. Most notably, you let us know that industry sees the value in the program and that it can be a market maker. You told us other industries are using FedRAMP for their own standards, and that it has increased the government’s trust in using cloud solutions. We also heard that you want more from us. You want more visibility into where you are in the process and more transparency around FedRAMP’s data — specifically, what agencies are using the program, what cloud services are available to procure. Above all, you want the time to authorization to be much faster.

We’re responding

We’re taking your feedback to heart. During the coming weeks and months, we’ll be making some major changes based on your feedback. Things are going to happen quickly. More specifically, we’ll be focusing on four key improvements:

Increasing the speed to authorization

Increasing transparency

Piloting a high baseline

Promoting FedRAMP reuse

1. Increasing the speed to authorization
The fastest authorizations for FedRAMP have taken approximately six months. We agree with you— that’s simply too long. Our current process, designed four years ago, mirrors the time it took for authorizations to occur when it took six to twelve months to build a legacy IT system. Today with cloud, you can build a new system in days, sometimes even minutes. This means our authorization process needs to reflect that a system is already built and operational. To that end, we’re exploring changes to the authorization process to focus more on capabilities and evidence up front, rather than documentation throughout. We believe this will allow FedRAMP to scale not only for government, but for industry as well.

2. Increasing transparency

You’ve said you want better visibility into FedRAMP— both in how other people are using it and where you are in the authorization process. We’re happy to devote time and resources to do that. Our aim is to clearly show:

Which agencies are using FedRAMP

Which CSPs are authorized

Which CSPs are in the process of getting authorized

What services are available to agencies

And we want all of that information to be searchable, downloadable, and easy to find. We’ve teamed up with 18F to make this a reality by creating a public dashboard on www.FedRAMP.gov, which will be available to you by spring.3. Piloting a high baseline

FedRAMP can be a market maker, and we’re expanding what that market can be. You told us that CSPs can provide higher level of security than FedRAMP authorizes now and that agencies want to use those services. We’re on track to finalize the requirements for high impact security systems by the end of winter (read the most recent public draft of these requirements). At the same time, we’re also piloting this effort with a few vendors to be authorized via the Joint Authorization Board so that we can have lessons learned and specific areas of focus for vendors who are interested in achieving this level of security. This is all an effort to help our industry partners make an informed decision about the level of effort it takes to maintain a high system, and also enable our agency customers to understand what to expect from using a cloud service for their high systems.

4. Promoting FedRAMP reuse

We also heard that you wanted us to match CSPs with agency needs and promote FedRAMP to the right people within agencies. We recently brought on Ashley Mahan, who was born to do this and has hit the ground running. She’s already matched a CSP to be authorized with a federal agency customer in her first 15 days on the job. To keep the momentum going, Ashley will complete an “Agency Roadshow” over the next three months. She’ll be meeting with every federal agency to identify how they’re using FedRAMP and get a better understanding what types of CSPs they want to use. Follow Ashley on her tour by following @FedRAMPAshley on Twitter and the hashtag #WheresAshley.

This is the beginning

We’d like FedRAMP to become as true of a partnership between the federal government and industry as possible— and we want the FedRAMP authorization process to clearly reflect this. We need the continued engagement of both government and industry. So stay involved. We promise to continue to respond and iterate to ensure we’re meeting your needs.